The industry is, by now, fully aware of GDPR, which provides new rights for consumers. The changes go live in 218 days and will enhance protection for consumers, but in doing so will present some challenges to the marketplace.
We believe that some of the biggest challenges our industry will face are:
- Customers who frequent forums and consumer advice websites are often given inaccurate guidance about their rights and the timescales for (e.g.) Subject Access Requests. This is likely to be compounded by the reduced turnaround time from 40 to 30 days.
- The changes also bring a new level of individual accountability to anyone involved in processing SARs. DCAs, clients and supply chain team members will all need to ensure adequate resource is applied to the function in order to comply, as the fines for GDPR failings are significantly higher than those previously experienced under the Data Protection Act, carrying an upper limit of €20 million or 4% of annual turnover.
- The changes required reflect a digitally advanced marketplace. Firms that are not technically advanced will initially face a greater manual workload as they adapt their processes to the new requirements. It is likely that the introduction of GDPR will also drive our industry towards more digital and automated solutions.
- Perhaps the biggest challenge at this point in time is the fact that not all the guidance has been released yet, which means the full extent of changes required is not yet known by anyone.
What impact can you expect on your business?
- Organisations will have to deal with requests more quickly, as well as providing additional information.
- Individuals already have a right to access their personal data through a SAR. However, it will generally be free to make those requests, and individuals will be entitled to receive the information in an electronic format.
Needless to say, our industry may see customers using the new rules to try to block or slow the process relating to their account. That would be unfortunate, given the effort which goes into seeking rehabilitation, but it may well happen.
What actions can you take to prepare?
- Update your procedures and plan how you will handle SARs and provide any additional information within the new timescales.
- Develop template response letters to ensure that every element of a response to a SAR under the GDPR is covered.
- Assess your organisation's ability to quickly isolate the data pertaining to a specific individual and to provide that data in compliance with the GDPR's format obligations.
- Ensure that employees are trained to quickly recognise and respond appropriately to SARs.
- Consider putting a 'data subject access portal' in place, allowing an individual to access their information easily online and minimising the cost to the data controller of dealing with the SAR.
Glen Walker, Associate Director and Chief Compliance Officer at Ascent Performance Group